[selinux-policy/f19] * Tue Dec 10 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.15 - Add file transition rules for con

Lukas Vrabec lvrabec at fedoraproject.org
Tue Dec 10 15:59:43 UTC 2013


commit d54e14600f96d7a51894996db4214730edf33d39
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Tue Dec 10 16:59:14 2013 +0100

    * Tue Dec 10 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.15
    - Add file transition rules for content created by f5link
    - Allow cloud_init to transition to rpm_script_t
    - Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs
    - Allow dkim-milter to create files/dirs in /tmp
    - Dontaudit mandb searching all mountpoints

 policy-f19-base.patch    |    6 ++++--
 policy-f19-contrib.patch |   27 ++++++++++++++++++---------
 selinux-policy.spec      |    9 ++++++++-
 3 files changed, 30 insertions(+), 12 deletions(-)
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index e6a2495..342b464 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -35130,7 +35130,7 @@ index 346a7cc..42a48b6 100644
 +/var/run/netns(/.*)?		gen_context(system_u:object_r:ifconfig_var_run_t,s0)
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..b82ccf1 100644
+index 6944526..0bd8d93 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -35405,7 +35405,7 @@ index 6944526..b82ccf1 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -766,3 +918,74 @@ interface(`sysnet_use_portmap',`
+@@ -766,3 +918,76 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
@@ -35473,6 +35473,8 @@ index 6944526..b82ccf1 100644
 +
 +	files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
 +	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
++	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp")
++	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved")
 +	files_etc_filetrans($1, net_conf_t, file, "denyhosts")
 +	files_etc_filetrans($1, net_conf_t, file, "hosts")
 +	files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
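Review bot: The two added names, `resolv.conf.fp-tmp` and `resolv.conf.fp-saved`, give no hint of which program creates them, and the interface they belong to begins outside this hunk. Each named transition applies to every domain passed as `$1`, so a one-line comment tying the names to their source keeps the list auditable. Something like `# resolv.conf.fp-* are created by f5link` above the two lines would do, with the creator taken from the changelog entry.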
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index 43a7584..5344e2c 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -2329,7 +2329,7 @@ index 6f1384c..9f23456 100644
  	rpm_domtrans(anaconda_t)
 diff --git a/antivirus.fc b/antivirus.fc
 new file mode 100644
-index 0000000..e44bff0
+index 0000000..9d5214b
 --- /dev/null
 +++ b/antivirus.fc
 @@ -0,0 +1,43 @@
@@ -2354,10 +2354,10 @@ index 0000000..e44bff0
 +
 +/var/clamav(/.*)?					gen_context(system_u:object_r:antivirus_db_t,s0)
 +
-+
 +/var/amavis(/.*)?					gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/lib/amavis(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/lib/clamav(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
++/var/lib/clamav-unofficial-sigs(/.*)?   gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/lib/clamd.*					gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/opt/f-secure(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/spool/amavisd(/.*)?			gen_context(system_u:object_r:antivirus_db_t,s0)
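Review bot: The new `/var/lib/clamav-unofficial-sigs(/.*)?` entry separates the path from `gen_context(...)` with spaces, while the neighbouring antivirus.fc entries use tabs. The file-context match is unaffected, but aligning it with tabs like the `/var/lib/clamav(/.*)?` line above keeps the column readable and avoids whitespace-only churn in later regenerations of this patch.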
@@ -11873,10 +11873,10 @@ index 0000000..8ac848b
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 0000000..1ef78b0
+index 0000000..2f9ecfd
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,297 @@
+@@ -0,0 +1,298 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -12038,6 +12038,7 @@ index 0000000..1ef78b0
 +
 +optional_policy(`
 +    rpm_domtrans(cloud_init_t)
++    rpm_transition_script(cloud_init_t)
 +    unconfined_domain(cloud_init_t)
 +')
 +
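Review bot: `rpm_transition_script(cloud_init_t)` is added with no comment saying which cloud-init action needs to enter `rpm_script_t` directly rather than through the existing `rpm_domtrans(cloud_init_t)`. It sits in the same `optional_policy` block as `unconfined_domain(cloud_init_t)`, so it probably widens little today, but the grant would silently remain if cloud_init_t is ever confined. A comment recording the reason, e.g. `# rhbz#<BUG-ID>: cloud-init needs a direct transition to rpm_script_t`, would make that later review possible; the bug reference is a placeholder because the page does not cite one.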
@@ -37342,10 +37343,10 @@ index 327f3f7..4f61561 100644
 +	')
  ')
 diff --git a/mandb.te b/mandb.te
-index 5a414e0..7fee444 100644
+index 5a414e0..24f45a8 100644
 --- a/mandb.te
 +++ b/mandb.te
-@@ -10,28 +10,51 @@ roleattribute system_r mandb_roles;
+@@ -10,28 +10,52 @@ roleattribute system_r mandb_roles;
  
  type mandb_t;
  type mandb_exec_t;
@@ -37392,6 +37393,7 @@ index 5a414e0..7fee444 100644
  
 -files_read_etc_files(mandb_t)
 +files_search_locks(mandb_t)
++files_dontaudit_search_all_mountpoints(mandb_t)
  
  miscfiles_manage_man_cache(mandb_t)
 +miscfiles_setattr_man_pages(mandb_t)
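Review bot: `files_dontaudit_search_all_mountpoints(mandb_t)` suppresses the denial rather than granting or removing the access, so later AVC records for mandb searching mount points will not reach the audit log. That is reasonable for known noise, but the rule should carry a comment saying so, e.g. `# mandb probes mount points while indexing; denial is harmless noise`, if that is indeed the cause. Anyone debugging mandb later will need to rebuild with dontaudit rules disabled (`semodule -DB`) to see these denials again.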
@@ -38044,10 +38046,10 @@ index cba62db..562833a 100644
 +	delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
 +')
 diff --git a/milter.te b/milter.te
-index 92508b2..db83591 100644
+index 92508b2..2213a03 100644
 --- a/milter.te
 +++ b/milter.te
-@@ -1,77 +1,110 @@
+@@ -1,77 +1,117 @@
 -policy_module(milter, 1.4.2)
 +policy_module(milter, 1.4.0)
  
@@ -38067,6 +38069,9 @@ index 92508b2..db83591 100644
 +type dkim_milter_private_key_t;
 +files_type(dkim_milter_private_key_t)
 +
++type dkim_milter_tmp_t;
++files_tmp_file(dkim_milter_tmp_t)
++
 +# currently-supported milters are milter-greylist, milter-regex and spamass-milter
  milter_template(greylist)
  milter_template(regex)
@@ -38126,6 +38131,10 @@ index 92508b2..db83591 100644
 -logging_send_syslog_msg(milter_domains)
 +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
 +
++manage_files_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
++manage_dirs_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
++files_tmp_filetrans(dkim_milter_t, dkim_milter_tmp_t, { dir file })
++
 +kernel_read_kernel_sysctls(dkim_milter_t)
 +
 +auth_use_nsswitch(dkim_milter_t)
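Review bot: `files_tmp_filetrans(dkim_milter_t, dkim_milter_tmp_t, { dir file })` and the two `manage_*_pattern` lines cover only directories and regular files. Any other object class dkim-milter creates in /tmp (a socket, for instance) would therefore still get the generic tmp label and be denied. If the reported denials were only for files and directories this is the right minimum, and a short comment such as `# dkim-milter scratch files in /tmp; files and dirs only` would record that the narrow scope is deliberate. The `dkim_milter_tmp_t` declaration this relies on is in the previous milter.te hunk.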
@@ -38186,7 +38195,7 @@ index 92508b2..db83591 100644
  
  optional_policy(`
  	mysql_stream_connect(greylist_milter_t)
-@@ -79,30 +112,45 @@ optional_policy(`
+@@ -79,30 +119,45 @@ optional_policy(`
  
  ########################################
  #
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c57ac6d..e202e04 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 74.14%{?dist}
+Release: 74.15%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,13 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Dec 10 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.15
+- Add file transition rules for content created by f5link
+- Allow cloud_init to transition to rpm_script_t
+- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs
+- Allow dkim-milter to create files/dirs in /tmp
+- Dontaudit mandb searching all mountpoints
+
 * Tue Nov 26 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.14
 - Allow apmd to request the kernel load module
 - Allow sssd to request the kernel loads modules

